So my name is Ricky Hill.
I'm a wireless and SCADA security consultant.
I work in the D.C. metro area, specifically my office is out of Reston, Virginia, Tenassi.
I've done previous DEF CON talks along a similar vein here.
I love flying things with all kinds of wireless equipment and other technical stuff on them.
Previously I did the war rocketing.
It was probably about eight years ago where we launched a wireless access point and collected
data over about 30 square miles.
It was good, but we didn't get a lot because you can't launch rockets in urban areas, right?
It was a rural area.
The other talk I did here that I had done previously was war ballooning.
They actually banned us from doing ‑‑ they initially gave us permission to do that.
We had a balloon with a Kismet drone payload that we were going to fly over DEF CON that
year.
That was five years ago.
Unfortunately, the city banned us and we couldn't do that.
So we went to a church ten miles out from the airport to make it legal.
Yes?
Hey, Rick.
Hey.
How's it going?
Pretty good.
What's up?
Excuse me.
Yes?
So we have this tradition at DEF CON for first‑time speakers.
You all know the drill.
Oh, no, no!
However, however, we have it on good authority that this gentleman is a liar.
And he, in fact, just wants a shot because ‑‑ and, by the way, pour the drone one.
Actually, I changed my mind.
This is excellent.
Thank you.
Thank you very much, Bob.
And ‑‑ but we'd like to raise your hand if this is your first DEF CON as an
attendee.
Humans only.
Come on, you liars.
Wait a minute.
You, the blonde.
You raised your hand, didn't you?
I can barely see under these lights.
I hope your hair is blonde.
Come on up.
All right.
First‑time attendee.
All right.
Did we ‑‑ Good stuff.
Did you ‑‑ Yep.
I'm telling you.
Thank you.
Hey, Bob.
How are you doing?
The drone gets one.
Where's mine?
Absolutely.
Oh, the drone gets one?
Yeah.
I told you to pour one for the drone.
It's already been dunked in beer, so it's not an issue.
What's your name?
It's fairly waterproof.
Crystal.
I actually work for the ‑‑ Oh, you do?
Oh, okay.
Well, everybody, this is Crystal.
Crystal, this is everybody.
Hi.
All right.
Crystal.
Let's hear it for the drones, for the drone and Crystal's first time at DEF CON.
As you were.
What do we do with the drone drink?
I'll take it.
The drone drink.
I'll take it.
Give it to Ricky.
Have another shot.
Give it to Ricky.
It's yours.
Bye.
All right.
Don't blame the next slide on me.
Where was I?
All right.
So what is ‑‑ Give me a bit.
Yeah, he's got a good point.
I don't want to cut anybody up, so we might fire it up a little bit later.
So what is this talk about?
It's about network surveillance.
It's not about ‑‑ I don't know if you guys saw it about a month ago, but cleaners
in Philadelphia, as a gag, did this, and they're delivering their dry cleaning on guess
which drone.
That's the Phantom drone right there.
And this thing, believe it or not, will lift probably about two pounds, 400 grams, whatever
that works out to.
So beer, beer works.
I haven't tried the full six‑pack, I understand some guys have.
So here's ‑‑ here on the screen is what I plan to cover today.
First we'll look at the advantages of doing wireless surveillance from the air.
You've got line of sight to everything.
It's a real easy way to get all the access points in a large area.
From a reconnaissance perspective.
Next we'll explain how this year emerging technologies have made this a possibility.
Two years ago, the payload that you see loaded on this drone would not have been possible
because of the power requirements and the size of the microelectronics on it.
In particular, we'll talk about the electronics and the Hak5 software improvements in
that.
And it has something on it called a cotton candy computer which is basically a USB stick
that runs full Ubuntu or Android.
Finally I want to cover how I built, designed, built and flew the Phantom surveillance drone.
I think you guys will like it.
We've got a lot of good video here.
You'll witness successes as well as some of our oops moments that we encountered flying
the drone.
We flew a lot of missions during June and July of this year.
All right.
So the talk is really about the goodness of aerial wireless surveillance.
My previous attempts have been problematic.
As I mentioned, the rocket had problems because the whole flight was like four minutes, right?
Even from 10,000 feet, you're not going to get a lot of information in that amount of
time.
The balloon suffered from similar things.
When you launch a balloon this over the vessel, you're going to get a lot of information in
Vegas skyline.
We managed to capture Luxor and several of the Strip's access points from quite a distance
out.
I think it was like 7 to 10 miles.
But when you launch a balloon, it's not a real stable platform.
It tends to do this, right?
So the video from that venture looked a lot like Blair Witch.
It was pretty sickening.
So next we'll talk about what others have done, what you see on the screen here.
There was a contest that how I got the idea for this talk called DARPA UAV Forge.
DARPA UAV Forge was about a flyoff competition to design a small drone that would fit in
a soldier's rucksack, basically fit on its back, which is why the small drone.
And its purpose was to go out and land on roofs, houses, buildings, towers, whatever,
and conduct visual surveillance, like it would have been very useful, for instance, in the
Boston bombing, if you could have had surveillance anywhere you wanted it, right?
So that was the military's purpose in this.
The top picture you see there is the UAV Forge's Halo team above the competition course.
The other attempts at wireless surveillance, if some of you remember it, is the Black
Hat's WASP cellular, that yellow airplane, cellular and wireless collection spy plane.
It was pretty expensive.
I think it was military surplus.
It cost about $6,000.
The problem with all these is that…
Okay.
Are people that fly drones…
Some now want to fly them continuously in the air.
Well, when you're flying, you're using a heck of a lot of energy, right?
I mean, you don't have fuel tanks like a 747.
You're burning up battery power like mad.
The advantage of this one, of course, is that it can land and then shut off the motors.
Okay.
All right.
So UAV Forge, the UAV Forge contest, as I mentioned, introduced a very novel and progressive
idea.
That is perch and stare surveillance, right?
If you can land on something, you can shut down, conserve your battery power and then
conduct wireless, cellular, whatever other operations you want to because those electronics
in the payload are going to use a lot less power.
Okay.
All right.
So the UAV Forge concept expanded upon that primarily to perform network surveillance
and exploitation.
How many of you guys in here know what a pineapple is?
All right.
How many of you have used a pineapple?
Excellent.
Excellent.
Keep in mind throughout this presentation, it's a proof of concept for what can be done
and what the military wanted.
I'm not encouraging anybody to go out.
They can go out to land on their coffee shop roof or terrorize their neighbors.
What you do with what you learn in this talk is up to you.
So UAV Forge, 143 teams competed from 153 countries.
Guess what?
Nobody won.
Nobody met their criteria for perching on a roof and collecting photos and coming back.
They did require some autonomous operation.
But not full autonomous operation.
Does anybody know what the difference between a UAV or UAS and a drone is?
Okay.
Go ahead.
Really?
Yeah.
Yeah.
Well, some people don't know.
Pilot on the loop, pilot in the loop, the different levels of autonomy and various
things.
Yeah.
Exactly.
The key word is autonomy.
So the Phantom is an autonomous drone in the fact that it will return to home base without
any pilot intervention.
Otherwise, it's just like a UAV.
It will fly with pilot control.
So full drones, autonomous operation, in fact, was one of the Achilles heels of UAV Forge
because things like trees got in the way, right, that weren't on Google Maps.
Okay.
Well, guess what?
It doesn't do trees well.
So here's a review of UAV Forge.
As you can see, it's pretty self‑explanatory, a lot of crashes.
Out of all those teams, out of a dozen teams in the final competition, the average time
to crash between take‑off and crash was three minutes.
Right?
Yeah.
I mean, it's just ludicrous.
Right?
And this is only two years ago.
So that's what I want to impress upon you is how much the technology has changed.
That's not a good bet for an aircraft that costs upwards of $10,000.
Right?
I don't even think the Army wants to buy that.
Well, I don't know.
All right.
So the Phantom just came out in January of this year.
I found out about it because a friend of a friend I work with was doing some Grand
Canyon white water rafting, and she said her cousin or whatever ran this company that
does ‑‑ that flies Phantoms and other drones.
Phantoms over the Grand Canyon films people going down.
The Phantom also comes with a GoPro mount, if you guys are familiar with sports GoPro
cameras.
Excellent pictures from the air.
So that's how I got the idea and bought ‑‑ went out and I was addicted once I saw all
these videos on YouTube.
I'm like, oh, this thing is really cool.
Look what I can do with it.
And furthermore, you know, it flies really good.
I can't tell you how many of the little RC helicopters I've crashed.
I mean, I suck as a pilot.
Right?
So I suck as a pilot, but you know what?
GPS, accelerometers and all the guts inside that thing make me rock.
They are great.
It also has other safety features built in, such as a two‑stick start‑up.
What that means is, if you've ever flown RC before, is if you accidentally turn on
it with the throttle up, then you can, like, eat up your friend's hand, you know, fly up
into the ceiling if you're indoors, whatever.
One stick is easy to get out of the way.
Like you can see here, it's not going to do anything with one stick.
It requires positive, both hands to the left to take off.
Very nice feature.
I also consider the return‑to‑home capability that they advertise and works, you'll see
it in just a bit, to be the most valuable.
If for any reason your flight gets into trouble, guess what?
You can just turn off the transmitter here, the drone says, okay, I lost communication,
or even if my battery goes low, I'm going to come back to where I took off from.
So the technological improvements that I talked ‑‑ that I spoke about earlier, the cotton‑candy
computer was one.
Let me just show you that.
I've got one right here.
So the cotton‑candy is basically this white USB stick.
It debuted at the 2011 computer electronics show in Las Vegas.
This thing runs full Ubuntu or Android operating system.
Um…
It makes a…
It's an excellent platform for hooking in, for instance, this Wi-Spy spectrum analyzer.
It also can do ZigBee collection.
If you guys are familiar with the ZigBee and the KillerBee, Joshua Wright's
KillerBee, we've run all of those payloads on the drone in the last month.
Let me put my drone back up.
It's lonely.
And finally, I can't emphasize how much of a joy this thing is to fly.
It's just incredible when it's in GPS mode, so.
Anybody fly helicopters?
RC?
Okay.
We got a few people.
How many crashes have you had?
Okay.
That says it all right there.
Okay.
All right.
So this is a look at the two payloads.
Sorry, the pictures are a little fuzzy.
Again, the main payload we've used for this thing is the Hak5 Pineapple, which you can
see underneath the copter right here, and, of course, the other one I have is a cotton
candy I just showed you.
The pineapple required quite a bit of modification and quite a bit of work to get going because
lofting things in the air requires a lot of work.
It requires a lot of power, so it required a custom power supply, and, for instance,
on the swap space on the Unix system required UUID mounts instead of regular mounts.
It literally took me, like, a month to get that payload configured.
And I finally got it configured with a T-Mobile GSM modem because all the other ones, they
just suck power.
The CDMA, the typical USB stick modems just suck power.
So my opinion, cotton candy is the perfect headless computer to use for an aerial payload.
The trick with it is because it takes power from its USB port is once you connect the
USB port and put it on the helicopter, you just killed your computer, right?
Well, there's a workaround for that.
You supply it with a LiPo battery power.
And an Apple Bluetooth and keyboard.
Guess what?
You can now detach your Bluetooth keyboard and mouse and you're good to go on the helicopter.
You've got whatever you want running is now still running, right?
So in my case, it's airodump-ng, it's Wi-Spy spectrum analyzer and the other payloads that
we've talked about before.
Basically any USB device that you can run, you can fly with this cotton candy computer.
Okay.
All right.
So let me show you what the cotton candy looks like.
It actually will also act as a virtual computer when you plug it into a laptop.
So let's do that.
Okay.
I did pray to the demo gods.
No, but I took two shots.
Okay.
Installing.
Okay.
Let's go to software.
Here we go.
Okay.
The goat will happen next time.
Sorry.
Come on.
Okay.
Let's go.
All right.
All right.
I'll know next time.
Let me know.
Do you have goats for sale?
Goats eat.
Please.
Okay.
All right.
All right. This is our first flight with the Wi-Spy spectrum analyzer. This is a neighborhood
overlooking a lake. It happens to be a neighborhood overlooking a lake in Culpeper, Virginia.
So it's a cool place to fly choppers because there aren't many trees on waterfront properties,
right? So it's easy to fly and buzz neighborhoods, do whatever you want, right? That's why we
chose it. This is the collection off that. Approximately ‑‑ we flew approximately
up to about 200 feet and got all this data. This particular subdivision only had about
20 houses. And we did a 10‑minute overflight. So as you can see, there's a lot of stuff
on Channel 9. Plenty of data there.
Okay.
Okay. So we found a lot of wireless sources. So now what? Well, the now what is ‑‑ wait
a minute, wait a minute. I want to make sure I'm not skipping something here. We found
802.11 sources. So, okay, big deal, right? Well, that's when I got the idea to do the
wireless Pineapple. The Hak5 Pineapple provides numerous wireless surveying and exploitation
packages. You can even do Metasploit on the Pineapple. Pineapple basically is a router that
acts as a man in the middle for unsecured wireless networks. If you connect an Android
phone, I've captured a number of Android and Apple phones that connect instantly to it,
basically I'm man in the middle and I'm providing your internet connection. So I can do anything I
want, right? Again, Pinpoint is the – if you're an Android user and you're using Pinpoint, you'll
again, the payload objectives for the flying pineapple were the same as for DARPA. That
is to land on a unique vantage point. That can be a cell tower. It could be a hotel balcony.
It could be, you know, anything you can think of that's hard to get to, right? Conduct your
operations and return the Phantom safely to the starting point.
So I'm lazy. I don't want to construct the standard Visio diagram, so I just did the ‑‑ I stole
Hak5's. Thank you, Darren and Robin. This is episode 1112. How this works is that the team,
there can be a wireless exploitation team on the Internet anywhere and through the GSM modem,
they're going to be able to talk to the pineapple.
And conduct operations on the pineapple. That's how it works. There's a relay server we call
Hawaii that's out on the Internet that enables that. Here's a short list of the pineapple's
capabilities. As you see, urlsnarf, DNS spoofing, sslstrip, airodump-ng runs great in flight
because it doesn't transmit anything. The only other thing I would caution you, if you want to do
this, this is 2.4 gigahertz, okay? If you're running that with the receiver on board the Phantom
and you're doing wireless ops with the payload, guess what? You're in the same band. You may not be
looking so good. They're theoretically supposed to work. I've seen numerous blogs on the Internet
for you just crashed your $700 Phantom. So monitor mode only in flight is the way to go. And that
works.
Thank you.
That sucks. Sorry. I'm going to skip here. I forgot to show you this video. This is pretty cool.
Watch this. This is the return to home feature of the Phantom.
So basically what I did is take this thing out in a field. This is my last test that I did, by the way.
I turned off the transmitter. And you can see it landed near my gym bag like three feet from the
same point it took off from. That's the GPS and the Naza-M controller on it.
All right. So the next mission we did was we went out on my Sea Ray boat and we decided a good
place to check to see how many people had wireless was on the beach. At this particular beach is at
Lake Anna. We ran Airman NG as I had spoken about before. No, we were not looking for bikinis.
We were just looking for how many people were using their Androids and other wireless devices on
the beach.
Here's the ‑‑
Notice the pylons added to the drone. Worked quite well. If you guys know Kids Noodles, I know that one will
me above the water, so it worked really cool. We're flying out here about like one of those
little advertising planes does at, you know, Virginia Beach, and we just buzzed the whole
beach area, which is probably about a football field long, so you can see right here.
So down at the other end, you know, we started to get people's attention. Thank goodness
the lifeguards did not chase us off, but probably altitude of about 100 feet here, and we're
collecting all while we're flying, right? I'm running low on time here, so I'm going
to speed this up. Here's the landing. The battery went dead. Watch this.
It actually died. I actually had no control at that point. My friend, Mr. Nick Hopler,
jumped in and did helicopter search and rescue. I have never seen a man swim so good. He jumped
in, boom, held the thing out, got it, held it over his head, and swam like 50 feet back
to the boat. So incredible. Actually, 100 feet. Thank you, Nick.
Okay.
All right. So I had bragged to one of my friends that I had not crashed the Phantom
yet, and we'd been doing ops with it about a month, and unfortunately, there were some
"oh no" moments, but I think you'll find these interesting. We now have moved on to
the phase where we've done aero collection, and we're going to do a little bit of a
DARPA thing where we want to land on and collect information from roofs or other interesting
places, right? So the first thought was, well, let's perform a test flight, and the
second thought is, let's land on a balcony. Hey, you know, we could land on the Marriott
or whatever and just check out somebody's room and do the pineapple wireless thing,
right? Okay. We'll see how that looks.
We're going to see who gets the highest test flight number one.
Okay. Pan right. This was a stormy evening fairly windy. I'd had only two beers at this
point, not two shots. But watch.
Yeah, that's about 75 feet at least, so not so good.
What you see here on stage is Phantom V2.
Oops, one more clip here.
This is our balcony shot where we were trying to land on a balcony just to see if it could be done.
There you go.
Oh, no.
About an inch short on that leg. Watch.
Damn, you're a good man.
Also, Mr. Nick Hopler.
There you go.
This is a look at the reconstruction of the Phantom.
What you see in the center there, that red thing, is the Naza-M controller, very sophisticated.
It uses a GPS accelerometer and even uses a compass on the leg there in order to orient itself in space.
I've seen advertised GPS...
That it's no better than, like, six to nine feet or something.
This thing actually does better than that.
It does a space about this wide, and it will hover in place with that controller.
The Phantom has no moving parts other than the propellers on top there.
What you see on the ends are called the ESCs, the electronic speed controllers.
They're on each thing.
The damage, the only damage this thing had was one of the ends right here.
You can see the end.
When it did that full head-on impact, it bent it about 20 degrees so that that particular propeller was off.
The only way to fix that, it's like a crustacean.
It's got a hard shell.
The new shell's 60 bucks.
So that's 60 bucks and about an eight-hour rebuild.
All right.
So mission number three is actually an attempt to do the DARPA mission.
That's to do a rooftop landing.
We did quite a few rooftop landings.
I'm going to show you the best one here.
We ran AirMod NG.
Before we landed, after we landed, we did site surveys.
We did some URL snarfs.
And I can tell you, these, you know, by virtue of wireless, these are great vantage points.
Because you land on somebody's roof, guess what?
You don't need a high-gain antenna.
You're there.
So the thing is, this is with a zoom lens. This thing is actually pretty far away.
The problem is, if you as a pilot attempt to start to land on a roof, you lose ‑‑ the farther the object
is from you, the more depth perception you lose, right? So there is an onboard camera, I can show
you guys after, but it's about the size of a postage stamp, first-person view camera that I
was looking at to see what's on the roof. So if you're wondering why I'm hanging up there, there's
a corrugated thing on the platform in front with about this much dip on it that I'm
wondering if I can ever get my helicopter off. I'm like, no, you know, that doesn't look so good. Let's
back up a hair here.
So decided to abort the rooftop landing and go for the actual platform there.
So there's the chopper going down.
This is a clubhouse on the lake, by the way. There you can see their lawn chair, their grill.
There were no people here, thankfully, at this point.
Now we all held our breaths as we, uh ‑‑ well, actually, we did a few ops
before this, the video has been clipped together, but we held our breaths and did the takeoff.
And voila.
All right.
Thanks.
So we did encounter a couple places and what you have to worry about when flying drones
or you're doing surveillance is, you know, if you're doing private property or whatever
that people might be pissed off that you're trying to collect their wireless or flying
a drone outside their window. Right? I mean, it's natural. I personally have shotguns for
that purpose. Watch this. Oops. We're not going to stay here. Let's get the hell out
of there. That thing will do 35 miles an hour, by the way.
These are just a few of the results. I know they're hard to see, but sslstrip, I actually
hacked and got my own.
My own password with sslstrip. Basically what it does, it collects. As man in the middle,
you don't have SSL anymore. Right? Because I'm providing your Internet.
urlsnarf the same way. I'm basically getting every website you're going to. So
that's results there. We did compare ourselves to UAV Forge team scores. I know they're
hard to see, but the scores go from zero to 100. All the teams failed. Nobody even made
the baseline.
I'm sorry. Let's go down one here. One team, Team Halo, made 47 points. The Phantom, if
we score it by the score, it scored above like 10 out of 12 helicopters two years ago
based on autonomous return to home, avoiding obstacles and other baselines. If you want
to see more, want to learn more about drones in UAV Forge, go look at uavforge.net.
It's a very interesting contest. And you can see a lot more crashes there.
So future work, we pretty much proved that Perch Listen and Engage will work for wireless
network surveillance. It's also a highly effective site survey tool. The take away
from this is that, you know, drones and UAVs can be used for good or bad. Right? It's a
great, I mean, they can be used to peer in people's windows. They can be used to collect
information at coffee shops, other important places. Or they can be used by the military
overseas. You know, they're sort of, you know, it's in the mind of the beholder, basically,
right, as to what they're used for. We hope they're used for good. So keep that in mind
if you guys are interested in flying or keeping drones flying. Because right now the FAA is
evaluating who's going to be able to fly drones in the United States and where. And that's due out,
I believe, mid-2014 or 2015. Right now I flew under the rules that say no commercial
entity sponsored me. I'm flying under model association rules wherein I have to maintain
an altitude of under 400 feet. If any of you guys fly, I implore you, and here's the disclaimers,
to not fly this without permission.
Without experience. If you don't have experience flying a drone, you know, don't start with
a $700 helicopter, right? Also, don't fly anywhere near an airport because 400 feet
is not a lot. I was going to do a, before we decided on our lake trip, I went to a place
near the Potomac River, which, as you know, borders D.C., and thought, oh, this is a
cool resort. Let's do some drone operations here. Bad idea. Went out there, bunch of golfers,
weren't on my balcony. You already saw the balcony crash where Nick collected the copter.
Well, that would have been a golfer's head, right? Think about it. The other thing is
over the Potomac, there's the approach to Reagan National Airport, which was about ten
miles out. I thought, well, there couldn't be any airplanes there. Are there going to
be thousands of feet up? No. They're like 800 to 1,000 feet, well within the capability
of this drone. So bad idea. If you're going to fly anywhere, make sure you get with somebody
in our local RC club or whatever.
And make sure that you're doing the right thing and you're not endangering people, right?
It's all fun. We had a great time doing this. This is one tip I have for you and I can show
you guys afterwards. It's an altimeter. It's just a USB stick, basically, right? You can
get on the elevator, punch the zero at the bottom floor and tell how high you got, right?
It fits well in just about any copter you want to fly.
What's 400 feet?
For the Phantom, it's 400 feet.
It's about as far as you can see. When it starts to get to where you can't see
it anymore, well, you know, you're too high. You're in aircraft space now. So, again, that's
about it. Let's see what we got here.
Some shout outs to Nancy Alpha Ops Team. Helped me out a lot with this as far as flight
operations. Nick Hopler in particular. Mr. Search and Rescue right here. Thank you very
much, Nick.
Thank you.
And the Hobby Hangar in Chantilly, Virginia. I had the advantage of having two blocks from
my house. I can go out and get parts for the Phantom or whatever I want, right? So
I will leave you with this final thought here on the screen.
Thank you very much.
